Senior Systems Security Engineer and Vulnerability Researcher

Job Summary:

We are in search of a skilled Senior Systems Security Engineer & Vulnerability Researcher, with specialized knowledge in OS security, container security, hypervisor security, and process sandboxing. The role necessitates strong offensive security capabilities in detecting and exploiting vulnerabilities, specifically within the Internet Computer (IC) platform and its operation environments.

The ideal candidate will be responsible for in-depth security research, executing vulnerability assessments, developing exploits, and consistently enhancing the security posture of the IC platform.

This role is a combination of onsite and remote work (3 days onsite), situated at our San Francisco office.

Primary Duties:

Hypervisor & Virtualization Security:

• Investigate and counteract security vulnerabilities in QEMU-based virtualization, VM isolation, and issues related to guest-to-host escape.
• Evaluate potential attack areas within virtual machines, hypervisors, and inter-VM communication channels.
• Develop and validate exploitation techniques aiming at vulnerabilities in hypervisors, container escapes, and side-channel leakage.
• Design and advance secure VM execution models and Trusted Execution Environments (TEEs) utilizing AMD SEV-SNP for enforcing strong VM isolation and safeguarding workloads from compromised hypervisors.

Operating System & Process Isolation Security:

• Fortify Linux OS security by enhancing process isolation, sandboxing, and syscall filtering.
• Upgrade Mandatory Access Control (MAC) policies (like SELinux) to enforce enhanced access controls.
• Research and enhance sandboxing strategies to confine untrusted processes.
• Identify and mitigate kernel privilege escalation routes, particularly in containerized and virtualized environments.

Vulnerability Research & Exploit Development:

• Engage in reverse engineering, binary analysis, and fuzzing to uncover vulnerabilities across OS, hypervisor, and VM layers.
• Develop proof-of-concept (PoC) exploits for validating security threats and recommend mitigation tactics.
• Critically analyze and enhance secure boot mechanisms, firmware security, and disk encryption strategies in virtualized environments.

Security Strengthening & Mitigations:

• Collaborate with engineers to outline and implement hypervisor and VM security enhancement strategies.
• Propose resilient runtime environments aimed at counteracting modern attack methods.
• Stay updated on emerging threats concerning virtualization security, container security, and OS sandboxing.

Red Team Strategy & Operations:

• Lead and formulate advanced Red Team initiatives targeting Internet Computer Protocol, governance, subnets, nodes, and system dApps.
• Develop plans for adversary emulation to assess platform and infrastructure defenses, identifying weaknesses proactively.

Prerequisites:

• Profound understanding of Linux security internals involving kernel attack surfaces, syscall security, privilege segregation, and process isolation.
• Expertise in QEMU/KVM security, guest-to-host escapes, hypervisor fortification, and VM isolation methods.
• Hands-on experience analyzing hypervisor-level attacks, VM evasion tactics, and security measures in virtualization.
• Familiarity with side-channel vulnerabilities affecting virtualization environments like Spectre, Meltdown, L1TF, MDS.
• Proficiency in Trusted Execution Environments (TEE) and secure virtualization, emphasizing QEMU and AMD SEV-SNP.
• Experience with reverse engineering tools (e.g., Ghidra, IDA Pro, Binary Ninja, binwalk) and fuzzing frameworks.
• Competence in adversary emulation, lateral movement techniques, privilege escalation, and exfiltration practices.
• Expertise in securing containerized environments, covering Kubernetes security, container fortification, and runtime protection.

Compensation and Benefits:

Base Salary Range: $175,000 - $240,000 per year. Total compensation at DFINITY includes base salary plus bonus, dependent on factors like job level, expertise, educational background, experience, and location.

Inclusive of cash components, we offer comprehensive benefits such as top-tier medical, dental, vision insurance, disability insurance, life insurance, 401(k) plan, flexible PTO policy, and paid holidays.

About DFINITY and the Internet Computer:

DFINITY is at the forefront of advancing the Internet Computer Protocol (ICP), dedicated to bringing the world's compute onto the secure ICP network. Leveraging groundbreaking blockchain technology, ICP enables the creation and operation of a new era of tamper-proof, decentralized web applications. With the capability to run entire AI models within smart contracts, ICP represents a significant leap in secure AI functioning. Through seamless integration with key networks, ICP facilitates multi-chain operations for digital assets and web3.

Join Our Team:

DFINITY, established in 2016 by entrepreneur Dominic Williams, boasts a team of over 250 talented individuals committed to shaping the future of the internet and web3. Our team comprises renowned cryptographers, distributed systems engineers, programming language experts, and industry trailblazers.

DFINITY is an equal opportunity employer.